CN106470214B - Attack detection method and device - Google Patents


Info

Publication number: CN106470214B
Application number: CN201610919494.2A
Authority: CN (China)
Prior art keywords: message, request message, attack, request, preset
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN106470214A
Inventors: 范毅波, 王树太
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The application provides an attack detection method and device, where the method is applied to a WAF device and comprises the following steps: after receiving a request message from a terminal device, detecting the request message; when the request message is determined to be an attack message, discarding it; when the request message is determined to be an undetermined message, modifying its destination port number to a preset re-detection port number and then sending the modified request message to the server, so that the server detects the request message and discards it if it is determined to be an attack message; and when the request message is determined to be a legal message, sending the request message to the server. The technical scheme of the application can break through the processing bottleneck of the WAF device and improve the identification accuracy of attack messages.

Description

Attack detection method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to an attack detection method and apparatus.
Background
With the rapid development of the internet, web applications have become increasingly abundant, and the security threats faced by web servers have increased accordingly. In order to prevent an attacker from stealing server data, a WAF (Web Application Firewall) device is generally deployed between the terminal device and the server and is used to detect whether a request message sent by the terminal device to the server is an attack message. When the access volume of the server is large, the WAF device receives a large number of request messages, and it is critical how to break through the processing bottleneck of the WAF device while improving the identification accuracy of attack messages.
Disclosure of Invention
In view of this, the present application provides an attack detection method and apparatus to solve the problems of processing bottleneck and low recognition accuracy of the WAF device in the related art.
Specifically, the method is realized through the following technical scheme:
in a first aspect, the present application provides an attack detection method, where the method is applied to a WAF device, and includes:
after receiving a request message from a terminal device, detecting the request message;
when the request message is determined to be an attack message, discarding the request message;
when the request message is determined to be an undetermined message, modifying the destination port number of the request message to a preset re-detection port number and then sending the modified request message to the server, so that the server detects the request message and discards it when it is determined to be an attack message;
and when the request message is determined to be a legal message, sending the request message to the server.
In a second aspect, the present application provides an attack detection method, which is applied to a server, and includes:
after receiving a request message sent by WAF equipment, detecting whether a destination port number of the request message is a preset re-detection port number;
if the destination port number of the request message is a preset re-detection port number, determining that the request message is a to-be-determined message, and detecting whether the to-be-determined message is an attack message;
and when the undetermined message is determined to be an attack message, discarding the undetermined message.
In a third aspect, the present application provides an attack detection apparatus, where the apparatus is applied to a WAF device, and includes:
the detection unit is used for detecting the request message after receiving the request message from the terminal equipment;
a discarding unit, configured to discard the request packet when it is determined that the request packet is an attack packet;
a first sending unit, configured to modify the destination port number of the request message to a preset re-detection port number and then send the modified request message to the server when the request message is determined to be an undetermined message, so that the server detects the request message and discards it when it is determined to be an attack message;
and the second sending unit is used for sending the request message to the server when the request message is determined to be a legal message.
In a fourth aspect, the present application provides an attack detection apparatus, which is applied to a server, and includes:
the port number detection unit is used for detecting whether a destination port number of a request message is a preset re-detection port number or not after receiving the request message sent by the WAF equipment;
a message detection unit, configured to determine that the request message is a to-be-determined message and detect whether the to-be-determined message is an attack message if a destination port number of the request message is a preset re-detection port number;
and the discarding unit is used for discarding the undetermined message when the undetermined message is determined to be the attack message.
Analyzing the above technical solution, it can be known that the WAF device can detect the received request packet to determine the type of the received request packet, and for the request packet determined as the attack packet and the legal packet, the WAF device can refer to the processing flow in the related art to process the request packet, and for the pending packet that needs to be further detected, the WAF device can forward the pending packet to the server, and the server further detects the pending packet. Compared with the related art, when the access amount is large, the server can further perform attack detection on the pending message, so that the processing pressure of the WAF device can be reduced.
Drawings
FIG. 1 is a flow chart illustrating an attack detection method according to an exemplary embodiment of the present application;
FIG. 2 is a flow chart of another attack detection method according to an exemplary embodiment of the present application;
FIG. 3 is a hardware structure diagram of a device in which an attack detection apparatus according to an exemplary embodiment of the present application is located;
FIG. 4 is a hardware structure diagram of another device in which an attack detection apparatus according to an exemplary embodiment of the present application is located;
FIG. 5 is a block diagram of an attack detection apparatus according to an exemplary embodiment of the present application;
FIG. 6 is a block diagram of another attack detection apparatus according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
In the related art, when a user realizes internet services such as browsing a web page and the like through a terminal device, the terminal device may establish an HTTP connection with a server, and send a request message to the server based on the HTTP connection, so as to obtain related service data. After receiving the request message, the server may construct a response message carrying the relevant service data for the request message and send the response message to the terminal device. In order to prevent an attacker from attacking the server by using the request message, the WAF device may be deployed between the terminal device and the server, and the WAF device may detect the request message sent by the terminal device to the server. When the WAF device determines that a certain request message is an attack message, the message can be discarded to prevent an attacker from attacking the server.
Referring to fig. 1, a flowchart of an attack detection method according to an exemplary embodiment of the present application is shown, where the method may be applied to a WAF device and includes the following steps:
step 101: after receiving a request message from a terminal device, detecting the request message.
In this embodiment, after the terminal device establishes the HTTP connection with the server, the terminal device may send a request message to the server to obtain the related service data, and the WAF device deployed between the terminal device and the server may receive the request message. After receiving the request message, the WAF device may first detect the request message to determine the type of the request message, and then may have different processing flows for different types of request messages.
In an optional embodiment, the WAF device may detect whether the request packet carries a preset first-class feature code and whether the request packet matches a preset feature rule, in order to determine the type of the request packet. The first-class feature code and the feature rule may be input by a user in advance and stored in the WAF device, and the feature rule may be used to search for character strings that satisfy some more complex pattern. Specifically, the WAF device may first detect whether the request packet carries the first-class feature code, and only when it does, detect whether the request packet matches the feature rule; when the request message does not carry the first-class feature code, the WAF device detects whether a header field or a preset key field of the request message carries encoded data that it cannot decode.
For example, an attacker may obtain server database data using SQL (Structured Query Language) injection attack messages; a partial field of such a message is shown in Table 1 below:
SELECT column name FROM table name
TABLE 1
Referring to Table 1, when an attacker wants to obtain the contents of a column named LastName from a database table named Persons stored in the server, the SQL statement SELECT LastName FROM Persons may be used. Therefore, when detecting whether a received request message is an SQL injection attack message, SELECT may be set as a first-class feature code, and a feature rule may be set to detect a character string that begins with the word SELECT, contains any non-line-feed characters in the middle, and ends with the word FROM. If the WAF device detects SELECT in a request message and the request message matches the feature rule, the request message conforms to SQL syntax and is capable of obtaining server database data; that is, it is an SQL injection attack message. Therefore, for a request message that both carries the preset first-class feature code and matches the preset feature rule, the WAF device may determine that the request message is an attack message. If the WAF device detects SELECT in a request message but the request message does not match the feature rule, the request message does not conform to SQL syntax; however, since a legal request message generally does not carry SELECT, the request message may be determined to be a pending message. Therefore, for a request message that carries the preset first-class feature code but does not match the preset feature rule, the WAF device may determine that the request message is an undetermined message. For a request message that neither carries the preset first-class feature code nor matches the preset feature rule, the WAF device may determine that the request message is a legal message.
It should be noted that the above detection scheme generally cannot detect whether an encoded request message carries the first-class feature code, so an attacker could evade the WAF device's detection by encoding the first-class feature code. In another example, when a header field or a preset key field of a received request message carries encoded data, the WAF device may decode the request message based on a preset algorithm and detect whether the decoded request message carries a preset first-class feature code, where the key field may be preset by the user. However, when the encoded data carried by a request message is complex, decoding it takes a long time and occupies more of the WAF device's processing resources, so the WAF device may leave the request message undecoded and deliver it to the server for attack detection. For such a request message, whose header field or preset key field carries encoded data that the WAF device cannot decode, the WAF device may also determine that the request message is an undetermined message.
Step 102: and when the request message is determined to be an attack message, discarding the request message.
In this embodiment, based on the detection result of the foregoing step 101, when the WAF device determines that the request packet is an attack packet, the request packet may be discarded without forwarding the request packet to the server, so as to protect the server from being attacked.
In an optional embodiment, the WAF device may add the source IP address of the attack packet to a blacklist when determining that the request packet is an attack packet, and may subsequently identify the attack packet through the blacklist without detecting again, thereby improving the identification efficiency of the attack packet.
Step 103: when the request message is determined to be an undetermined message, modifying the destination port number of the request message to a preset re-detection port number and then sending the modified request message to the server, so that the server detects the request message and discards it when it is determined to be an attack message.
In this embodiment, based on the detection result of the foregoing step 101, when the WAF device determines that the request packet is an undetermined packet, it may modify the destination port number of the request packet to a preset retest port number and then send the modified request packet to the server, where the retest port number may be set by an administrator and is used to identify undetermined packets. After receiving a request message whose destination port number is the retest port number, the server may determine that the request message is an undetermined message and must further detect it to determine whether it is an attack message. When the server detects that the undetermined message is an attack message, it may discard the message so as to protect the server from being attacked.
Step 104: and when the request message is a legal message, sending the request message to the server.
In this embodiment, based on the detection result in the foregoing step 101, when the WAF device detects that the request packet is neither an attack packet nor an undetermined packet, it may be determined that the request packet is a valid packet, and the request packet is forwarded to the server. After receiving the request message, the server may respond to the request message, that is, construct a response message carrying relevant service data, and send the response message to the terminal device, so as to implement the user service.
As can be seen from the foregoing embodiments, the WAF device may detect the received request packet to determine its type; for a request packet determined to be an attack packet or a valid packet, the WAF device may follow the processing flow of the related art, and for an undetermined packet that needs further detection, the WAF device may forward it to the server, which further detects the undetermined packet. Compared with the related art, when the access volume is large, the server can take over attack detection on the pending messages, so that the processing pressure on the WAF device is reduced.
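The WAF-side triage of steps 101 to 104, written out as an added Python example that is not part of the patent or of the assignee's product. It assumes a request reduced to its header values and preset key fields, a single cheap URL-decode pass as the WAF's whole decoding budget, and a constructed re-detection port number of 8081.

```python
"""WAF-side triage of a request message (steps 101-104), added example."""
import re
from dataclasses import dataclass, replace
from enum import Enum
from urllib.parse import unquote


class Verdict(Enum):
    ATTACK = "attack"              # discard (step 102)
    UNDETERMINED = "undetermined"  # rewrite dst port, hand to server (step 103)
    LEGAL = "legal"                # forward unchanged (step 104)


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_port: int
    headers: dict
    key_fields: dict  # the "preset key fields" the WAF inspects (assumption)


# First-class feature code and feature rule from Table 1: the word SELECT,
# any non-line-feed characters in the middle, then the word FROM.
FIRST_CLASS_FEATURE_CODES = ("SELECT",)
FEATURE_RULE = re.compile(r"\bSELECT\b.*\bFROM\b")
# Anything still encoded after the WAF's single decode pass is treated as
# "encoded data that cannot be decoded" within the WAF's budget (assumption).
RESIDUAL_ENCODING = re.compile(r"%[0-9A-Fa-f]{2}|&#?\w+;|\\u[0-9A-Fa-f]{4}")

REDETECT_PORT = 8081  # constructed placeholder for the preset re-detection port


def inspected_fields(req: Request):
    """One cheap URL-decode pass over every field the WAF looks at."""
    for value in list(req.headers.values()) + list(req.key_fields.values()):
        yield unquote(value)


def classify(req: Request) -> Verdict:
    """Step 101: feature code first, feature rule second, encoding last."""
    fields = list(inspected_fields(req))
    carries_code = any(code in f for f in fields for code in FIRST_CLASS_FEATURE_CODES)
    if carries_code:
        # Code + rule: well-formed SQL that reads server data -> attack.
        # Code without rule: suspicious but not provably SQL -> server decides.
        if any(FEATURE_RULE.search(f) for f in fields):
            return Verdict.ATTACK
        return Verdict.UNDETERMINED
    # No feature code visible: it may be hidden behind encoding the WAF will not unwind.
    if any(RESIDUAL_ENCODING.search(f) for f in fields):
        return Verdict.UNDETERMINED
    return Verdict.LEGAL


def process(req: Request, blacklist: set) -> tuple:
    """Steps 102-104. Returns (action, request as forwarded or None)."""
    if req.src_ip in blacklist:          # optional embodiment of step 102
        return ("drop", None)
    verdict = classify(req)
    if verdict is Verdict.ATTACK:
        blacklist.add(req.src_ip)        # remember the source, skip detection next time
        return ("drop", None)
    if verdict is Verdict.UNDETERMINED:
        # Step 103: the message itself is forwarded; only its destination port
        # changes so the server's agent can recognise it as undetermined.
        return ("forward", replace(req, dst_port=REDETECT_PORT))
    return ("forward", req)              # step 104


# Constructed sample traffic toward a web server listening on port 80.
SAMPLES = {
    "sqli":    Request("203.0.113.10", 80, {}, {"name": "SELECT LastName FROM Persons"}),
    "keyword": Request("203.0.113.11", 80, {}, {"q": "SELECT your favourite colour"}),
    "double":  Request("203.0.113.12", 80, {}, {"q": "%2553ELECT%2520LastName%2520FROM%2520Persons"}),
    "benign":  Request("203.0.113.13", 80, {"User-Agent": "curl/8.0"}, {"q": "lastname"}),
}

if __name__ == "__main__":
    bl = set()
    for label, req in SAMPLES.items():
        print(label, classify(req).value, process(req, bl)[0])
```

The double-encoded sample is the case the text singles out: after one decode pass the WAF still sees no SELECT, but the residual percent-encoding is enough to route it to the server instead of letting it through as legal.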
Referring to fig. 2, a flowchart of another attack detection method according to an exemplary embodiment of the present application is shown, where the method may be applied to a server and includes the following steps:
step 201: after receiving a request message sent by WAF equipment, detecting whether a destination port number of the request message is a preset re-detection port number.
In this embodiment, with reference to the foregoing steps 103 and 104, when the WAF device determines that a request packet is an undetermined packet, it may modify the destination port number of the request packet to a preset retest port number and send the modified request packet to the server, so that the server can determine, from the destination port number of a received request packet, whether it is an undetermined packet or a valid packet. Specifically, after receiving a request message sent by the WAF device, the server may first detect whether its destination port number is the preset retest port number; in an actual implementation, the server may treat any message arriving on the retest port as an undetermined message. If so, the request message is an undetermined message, and the server further detects it to determine whether it is an attack message; otherwise, the server responds to the legal message, that is, constructs a response message carrying the relevant service data and sends it to the terminal device, so as to implement the user service.
Step 202: and if the destination port number of the request message is a preset re-detection port number, determining that the request message is a message to be determined, and detecting whether the message to be determined is an attack message.
In this embodiment, based on the detection result in step 201, if the destination port number of the request packet is the preset retest port number, it indicates that the request packet is an undetermined packet, and the server needs to further detect the undetermined packet to determine whether the undetermined packet is an attack packet.
In an optional embodiment, when it is determined that a received request packet is an undetermined packet, the server may perform attack detection on it; the code in the server that performs the attack detection function may be referred to as an agent. Specifically, the agent may first perform feature detection on the pending message. Similar to the WAF device, the agent may also process the pending message based on a preset algorithm to eliminate the influence of interference factors on attack detection, where the interference factors may include obfuscating interference code, encoding, and the like. For example, the agent may first identify and remove interference code in the pending message: spaces may be identified and compressed, comments identified and replaced, case converted, and rewrites recognized. In addition, the agent may decode the various encoded data carried by the pending packet, for example by HTML entity decoding, URL decoding, Unicode decoding, and so on. After eliminating the interference factors, the agent may detect whether the pending message carries a first-class feature code and whether it matches a feature rule, where the first-class feature code and the feature rule may be input by a user and stored in the server. When the pending message carries the first-class feature code and matches the feature rule, it may be determined to be an attack message.
It should be noted that the above attack detection process of the server and the attack detection process of the WAF device may overlap to prevent missing detection. In this embodiment, the complex procedures of removing the interference code and decoding are performed by the server, and the WAF device only needs to perform the simple procedures of removing the interference and decoding, which is beneficial to reducing the processing pressure of the WAF device.
If the agent still cannot determine whether a pending message is an attack message after the above processing flow, a virtual server constructed on the server may simulate a response to the pending message. Specifically, the virtual server constructs a response packet for the pending packet, and the agent detects whether the response packet carries preset sensitive information, for example user privacy information stored in the server; the sensitive information may be input by the user in advance and stored in the server. When the response message carries the sensitive information, the pending message corresponding to that response message may be determined to be an attack message. In this case the server does not send the response message constructed by the virtual server to the terminal device, so as to protect the data security of the server.
In another example, if the agent detects that a certain response packet does not carry the sensitive information, the agent may compare the response packet with a corresponding pending packet to detect whether the response packet and the pending packet carry the same information. When the response message and the pending message carry the same information, it may be determined that the pending message is an attack message. At this time, the server does not send the response message constructed by the virtual server to the terminal equipment, so as to protect the data security of the server.
Step 203: and when the undetermined message is determined to be an attack message, discarding the undetermined message.
In this embodiment, based on the detection result in the foregoing step 202, when the server determines that the pending message is an attack message, the pending message may be discarded without responding to the pending message, so as to protect the server from being attacked.
In an optional embodiment, in combination with step 202, when it is detected that the response packet of the pending packet carries preset sensitive information, the server may determine that the pending packet is an attack packet, and at this time, may construct an attack notification carrying a source IP address of the attack packet, and send the attack notification to the WAF device. When receiving the attack notification, the WAF device can add the source IP address of the attack message into the blacklist according to the IP address carried in the attack notification, and subsequently can identify the attack message through the blacklist without re-detection, thereby improving the identification efficiency of the attack message.
When detecting that the pending message and the response message carry the same information, the server may determine that the pending message is an attack message, and at this time may construct an attack notification carrying the source IP address of the attack message and the same information, and send the attack notification to the WAF device. When receiving the attack notification, the WAF device may add the IP address carried in the attack notification to the blacklist and may also store the same information as a second-type feature code. Subsequently, for a received request message whose source IP address is not in the blacklist, the WAF device may further detect whether the request message carries the second-type feature code. If the request message is detected to carry the second-type feature code, the WAF device may determine that the request message is an attack message and discard it without further detection. If the request packet does not carry the second-type feature code, the WAF device may detect, in combination with the foregoing step 101, whether the request packet carries a preset first-class feature code and whether it matches a preset feature rule, so as to determine the type of the request packet. By adopting this method, the processing pressure on the WAF device can be further reduced, while the accuracy with which the WAF device identifies attack messages is improved.
In another example, the WAF device may also generate a log from the received attack notifications for viewing by the user. The log may record the IP address that has been blacklisted, and may also record the reason for adding the IP address to the blacklist, such as: carrying sensitive information, carrying feature codes of a second type, and the like.
As can be seen from the foregoing embodiments, the WAF device may detect the received request packet to determine its type; for a request packet determined to be an attack packet or a valid packet, the WAF device may follow the processing flow of the related art, and for an undetermined packet that needs further detection, the WAF device may forward it to the server, which further detects the undetermined packet. Compared with the related art, when the access volume is large, the server can take over attack detection on the pending messages, so that the processing pressure on the WAF device is reduced. In addition, a virtual server running on the server simulates a response to the pending message, and whether the pending message is an attack message is determined from that response message; attack messages that the WAF device of the related art cannot detect can thereby be detected, improving the identification accuracy of attack messages. The server can also send the source IP address of the attack message, together with the information carried by both the response message and the pending message, to the WAF device, so that the WAF device can learn the new type of attack message and use it for subsequent attack detection; the identification accuracy of attack messages is thus improved while the processing pressure on the WAF device is reduced.
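The server-side agent of steps 201 to 203 and the WAF's handling of the resulting attack notification, as an added Python example that is not the patent's code. It assumes the same constructed re-detection port 8081, models the notification as a plain dict, and reports the normalised fragment that matched the feature rule as the second-type feature code; the patent derives that code from the virtual server's response comparison, which is not modelled here.

```python
"""Server-side agent (steps 201-203) and WAF notification handling, added example."""
import html
import re
from urllib.parse import unquote

REDETECT_PORT = 8081                      # constructed placeholder, same as the WAF side
FIRST_CLASS_FEATURE_CODES = ("select",)   # compared after case folding
FEATURE_RULE = re.compile(r"\bselect\b.*\bfrom\b")
MAX_DECODE_ROUNDS = 5                     # bound on nested decoding (assumption)


def normalize(text: str) -> str:
    """Agent's interference removal before feature detection (step 202)."""
    for _ in range(MAX_DECODE_ROUNDS):    # URL, HTML-entity and \uXXXX decoding until stable
        decoded = unquote(text)
        decoded = html.unescape(decoded)
        decoded = re.sub(r"\\u([0-9a-fA-F]{4})",
                         lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # comments replaced
    text = re.sub(r"\s+", " ", text).strip()            # spaces compressed
    return text.lower()                                 # case converted


def agent_detect(fields: dict):
    """Returns the normalised fragment that proves an attack, or None."""
    for value in fields.values():
        norm = normalize(value)
        if any(code in norm for code in FIRST_CLASS_FEATURE_CODES):
            match = FEATURE_RULE.search(norm)
            if match:
                return match.group(0)
    return None


def server_receive(req: dict) -> tuple:
    """Steps 201-203 on one message {'src_ip', 'dst_port', 'fields'}.
    Returns (action, attack notification or None)."""
    if req["dst_port"] != REDETECT_PORT:
        return ("respond", None)          # step 201: legal message, normal service path
    fragment = agent_detect(req["fields"])
    if fragment is None:
        return ("respond", None)          # undetermined but not proven malicious
    notification = {"src_ip": req["src_ip"], "feature": fragment,
                    "reason": "carries second-type feature code"}
    return ("drop", notification)         # step 203


class WafState:
    """What the WAF learns from attack notifications: blacklist, codes, log."""

    def __init__(self):
        self.blacklist = set()
        self.second_type_codes = set()
        self.log = []

    def on_notification(self, note: dict) -> None:
        self.blacklist.add(note["src_ip"])
        self.second_type_codes.add(note["feature"])
        self.log.append(f"blacklisted {note['src_ip']}: {note['reason']} ({note['feature']})")

    def fast_path(self, src_ip: str, fields: dict) -> str:
        """Checks run on later traffic before step 101: blacklist, then second-type codes.
        The WAF keeps its own decoding cheap: one URL-decode plus case folding (assumption)."""
        if src_ip in self.blacklist:
            return "drop"
        if any(code in unquote(v).lower() for v in fields.values()
               for code in self.second_type_codes):
            return "drop"
        return "continue"                 # fall through to the step-101 classification


# Constructed samples as they arrive at the server from the WAF.
SAMPLE_PENDING = {"src_ip": "203.0.113.12", "dst_port": REDETECT_PORT,
                  "fields": {"q": "%2553ELECT%2520LastName%2520FROM%2520Persons"}}
SAMPLE_KEYWORD = {"src_ip": "203.0.113.11", "dst_port": REDETECT_PORT,
                  "fields": {"q": "SELECT your favourite colour"}}
SAMPLE_LEGAL = {"src_ip": "203.0.113.13", "dst_port": 80, "fields": {"q": "lastname"}}

if __name__ == "__main__":
    waf = WafState()
    for sample in (SAMPLE_LEGAL, SAMPLE_KEYWORD, SAMPLE_PENDING):
        action, note = server_receive(sample)
        print(sample["src_ip"], action)
        if note:
            waf.on_notification(note)
    print(waf.log)
```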
Corresponding to the embodiment of the attack detection method, the application also provides an embodiment of the attack detection device.
The embodiments of the attack detection apparatus may be applied to the WAF device and to the server respectively. The apparatus embodiments may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the apparatus is a logical device formed when the processor of the WAF device or server in which it is located reads the corresponding computer program instructions from non-volatile memory into memory and runs them. From a hardware aspect, fig. 3 shows a hardware structure diagram of the WAF device in which the attack detection apparatus of the present application is located, and fig. 4 shows a hardware structure diagram of the server in which the attack detection apparatus of the present application is located. In addition to the processor, memory, network interface and non-volatile memory shown in figs. 3 and 4, the WAF device and the server in which the apparatus is located may also include other hardware according to the actual function of attack detection, which is not described again.
Referring to fig. 5, which is a block diagram of an attack detection apparatus according to an exemplary embodiment of the present application, the attack detection apparatus 500 may be applied to the WAF device shown in fig. 3 and includes:
a detection unit 501, configured to detect a request packet from a terminal device after receiving it;
a first discarding unit 502, configured to discard the request packet when it is determined to be an attack packet;
a first sending unit 503, configured to, when the request packet is determined to be a pending packet, modify the destination port number of the request packet to a preset re-detection port number and send the modified request packet to the server, so that the server detects the request packet and discards it when it is determined to be an attack packet;
a second sending unit 504, configured to send the request packet to the server when it is determined to be a legal packet.
In an alternative embodiment, the detection unit 501 may include:
a feature detection subunit 5011, configured to detect whether the request packet carries a preset first-class feature code, and to detect whether the request packet matches a preset feature rule;
a first determining subunit 5012, configured to determine that the request packet is an attack packet when the request packet carries the first-class feature code and matches the feature rule;
a second determining subunit 5013, configured to determine that the request packet is a pending packet when the request packet carries the first-class feature code but does not match the feature rule, or when a header field or a preset key field of the request packet carries encoded data that cannot be parsed.
Referring to fig. 6, which is a block diagram of another attack detection apparatus according to an exemplary embodiment of the present application, the attack detection apparatus 600 may be applied to the server shown in fig. 4 and includes:
a port number detection unit 601, configured to detect, after receiving a request packet sent by the WAF device, whether the destination port number of the request packet is a preset re-detection port number;
a message detection unit 602, configured to determine that the request packet is a pending packet if its destination port number is the preset re-detection port number, and to detect whether the pending packet is an attack packet;
a second discarding unit 603, configured to discard the pending packet when it is determined to be an attack packet.
In an optional embodiment, the message detection unit 602 may include:
a constructing subunit 6021, configured to construct a response packet to the pending packet based on a virtual server;
a response detection subunit 6022, configured to detect whether the response packet carries preset sensitive information;
a third determining subunit 6023, configured to determine that the pending packet is an attack packet when the response packet carries the sensitive information.
The implementation of the functions and actions of each unit in the above apparatus is described in detail in the implementation of the corresponding step of the above method, and is not repeated here.
For the apparatus embodiments, since they substantially correspond to the method embodiments, reference may be made to the relevant parts of the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of the application. Persons of ordinary skill in the art can understand and implement this without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (8)

1. An attack detection method applied to a Web Application Firewall (WAF) device, the method comprising:
after receiving a request message from a terminal device, detecting the request message;
when the request message is determined to be an attack message, discarding the request message;
when the request message is determined to be a pending message, modifying the destination port number of the request message to a preset re-detection port number and then sending the modified request message to a server, so that the server detects the request message and discards it when it is determined to be an attack message;
when the request message is determined to be a legal message, sending the request message to the server;
wherein detecting the request message comprises:
detecting whether the request message carries a preset first-class feature code, and detecting whether the request message matches a preset feature rule;
when the request message carries the first-class feature code and matches the feature rule, determining that the request message is an attack message;
and when the request message carries the first-class feature code but does not match the feature rule, or when a header field or a preset key field of the request message carries encoded data that cannot be parsed, determining that the request message is a pending message.
2. The method of claim 1, further comprising:
when an attack notification sent by the server is received, storing the second-class feature code carried by the attack notification, if it carries one; wherein the attack notification is sent by the server when a pending message is determined to be an attack message, the second-class feature code is information carried by both a response message and the pending message corresponding to that response message, and the response message is constructed by a virtual server running on the server;
and detecting the request message further comprises:
detecting whether the request message carries the second-class feature code;
and when the request message carries the second-class feature code, determining that the request message is an attack message.
3. An attack detection method applied to a server, the method comprising:
after receiving a request message sent by a WAF device, detecting whether the destination port number of the request message is a preset re-detection port number; wherein the request message is sent by the WAF device after modifying its destination port number to the preset re-detection port number when the WAF device determines that the request message carries a preset first-class feature code but does not match a preset feature rule, or that a header field or a preset key field of the request message carries encoded data that cannot be parsed; or the request message is sent by the WAF device when the WAF device determines that the request message does not carry the first-class feature code and neither the header field nor the preset key field of the request message carries encoded data that cannot be parsed;
if the destination port number of the request message is the preset re-detection port number, determining that the request message is a pending message, and detecting whether the pending message is an attack message;
and when the pending message is determined to be an attack message, discarding the pending message.
4. The method according to claim 3, wherein detecting whether the pending message is an attack message comprises:
constructing a response message to the pending message based on a virtual server;
detecting whether the response message carries preset sensitive information;
and when the response message carries the sensitive information, determining that the pending message is an attack message.
5. The method according to claim 4, wherein detecting whether the pending message is an attack message further comprises:
detecting whether the response message and the pending message carry the same information;
when the response message and the pending message carry the same information, determining that the pending message is an attack message;
and sending an attack notification to the WAF device, the attack notification carrying the source IP address of the pending message and the same information, so that the WAF device adds the source IP address to a blacklist, stores the same information as a second-class feature code, and determines a received request message to be an attack message when it detects that the request message carries the second-class feature code.
6. An attack detection apparatus applied to a WAF device, the apparatus comprising:
a detection unit, configured to detect a request message from a terminal device after receiving it;
a first discarding unit, configured to discard the request message when it is determined to be an attack message;
a first sending unit, configured to, when the request message is determined to be a pending message, modify the destination port number of the request message to a preset re-detection port number and then send the modified request message to a server, so that the server detects the request message and discards it when it is determined to be an attack message;
a second sending unit, configured to send the request message to the server when it is determined to be a legal message;
wherein the detection unit comprises:
a feature detection subunit, configured to detect whether the request message carries a preset first-class feature code, and to detect whether the request message matches a preset feature rule;
a first determining subunit, configured to determine that the request message is an attack message when the request message carries the first-class feature code and matches the feature rule;
and a second determining subunit, configured to determine that the request message is a pending message when the request message carries the first-class feature code but does not match the feature rule, or when a header field or a preset key field of the request message carries encoded data that cannot be parsed.
7. An attack detection apparatus applied to a server, the apparatus comprising:
a port number detection unit, configured to detect, after receiving a request message sent by a WAF device, whether the destination port number of the request message is a preset re-detection port number; wherein the request message is sent by the WAF device after modifying its destination port number to the preset re-detection port number when the WAF device determines that the request message carries a preset first-class feature code but does not match a preset feature rule, or that a header field or a preset key field of the request message carries encoded data that cannot be parsed; or the request message is sent by the WAF device when the WAF device determines that the request message does not carry the first-class feature code and neither the header field nor the preset key field of the request message carries encoded data that cannot be parsed;
a message detection unit, configured to determine that the request message is a pending message if its destination port number is the preset re-detection port number, and to detect whether the pending message is an attack message;
and a second discarding unit, configured to discard the pending message when it is determined to be an attack message.
8. The apparatus of claim 7, wherein the message detection unit comprises:
a constructing subunit, configured to construct a response message to the pending message based on a virtual server;
a response detection subunit, configured to detect whether the response message carries preset sensitive information;
and a third determining subunit, configured to determine that the pending message is an attack message when the response message carries the sensitive information.
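A worked model of the two-stage flow described by the apparatus above (units 501 to 504 on the WAF device, units 601 to 603 on the server) and by claims 1 to 8, as an added example in Python; it is not the patentee's code nor any product's implementation. The feature codes, the feature rule (a code inside a query-parameter value of a known dynamic endpoint), the re-detection port 8081, the key fields, the sensitive-information marker, the virtual server's echo behaviour, the 8-character threshold for "same information", and all sample requests and IP addresses are constructed for the example; the patent specifies only the roles these values play.

```python
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit

# Every value below is constructed for this example; the patent names the roles, not the values.
RETEST_PORT = 8081                                      # the "preset re-detection port number"
FIRST_CLASS_CODES = ("union select", "<script", "../")  # the "first-class feature codes"
DYNAMIC_PATHS = ("/search", "/login")                   # endpoints the constructed feature rule covers
KEY_FIELDS = ("Cookie", "User-Agent")                   # the "preset key fields"
SENSITIVE_MARKERS = ("root:x:",)                        # the "preset sensitive information"

@dataclass
class Request:
    src_ip: str
    path: str           # request-target, e.g. "/search?q=..."
    headers: dict
    dst_port: int = 80  # rewritten to RETEST_PORT when the WAF forwards a pending message

    def key_values(self):  # the preset key fields, raw
        return [self.headers.get(k, "") for k in KEY_FIELDS]

    def query_values(self):  # decoded query-parameter values of the request-target
        return [v for _, v in parse_qsl(urlsplit(self.path).query, keep_blank_values=True)]

def has_unparseable_encoding(req):  # claim 1: a key field holds percent-encoded bytes that are not valid UTF-8
    try:
        unquote(" ".join(req.key_values()), errors="strict")
        return False
    except UnicodeDecodeError:
        return True

def matches_feature_rule(req):  # constructed rule: a feature code inside a parameter value of a dynamic endpoint
    if urlsplit(req.path).path not in DYNAMIC_PATHS:
        return False
    return any(c in v.lower() for v in req.query_values() for c in FIRST_CLASS_CODES)

class WAF:  # apparatus 500: classify, drop, or forward (re-tagged) to the server; learn from notifications
    def __init__(self):
        self.blacklist, self.second_class_codes = set(), set()

    def classify(self, req):
        text = unquote(" ".join([req.path] + req.key_values()), errors="replace").lower()
        if req.src_ip in self.blacklist or any(c in text for c in self.second_class_codes):
            return "attack"                               # claim 2: learned second-class feature code
        has_code = any(c in text for c in FIRST_CLASS_CODES)
        if has_code and matches_feature_rule(req):
            return "attack"                               # first determining subunit 5012
        if has_code or has_unparseable_encoding(req):
            return "undetermined"                         # second determining subunit 5013
        return "legal"

    def handle(self, req, server):                        # returns (verdict, outcome)
        verdict = self.classify(req)
        if verdict == "attack":
            return verdict, "dropped_by_waf"              # first discarding unit 502
        if verdict == "undetermined":
            req.dst_port = RETEST_PORT                    # first sending unit 503: rewrite the port
        return verdict, server.handle(req, self)          # second sending unit 504

    def on_attack_notification(self, src_ip, info):       # claim 5: blacklist the source and keep
        self.blacklist.add(src_ip)                        # the shared information as a feature code
        self.second_class_codes.add(info.lower())

class Server:  # apparatus 600: re-detect pending messages that arrive on the re-detection port
    def virtual_response(self, req):  # subunit 6021, constructed stand-in: echo parameters, "serve" a file
        url = urlsplit(req.path)
        params = dict(parse_qsl(url.query, keep_blank_values=True))
        body = ["path=" + url.path] + [f"{k}={v}" for k, v in params.items()]
        if "../" in params.get("file", "") and params["file"].endswith("passwd"):
            body.append("root:x:0:0:root:/root:/bin/bash")   # the simulated leak
        return "\n".join(body)

    def detect(self, req):  # unit 602: returns (verdict, information shared by request and response)
        body = self.virtual_response(req)
        if any(m in body for m in SENSITIVE_MARKERS):
            return "attack", None                         # claim 4: response carries sensitive information
        for value in req.query_values() + req.key_values():
            if len(value) >= 8 and value in body:         # claim 5; the length 8 is a constructed threshold
                return "attack", value
        return "legal", None

    def handle(self, req, waf):
        if req.dst_port != RETEST_PORT:
            return "served"                               # port number detection unit 601: not pending
        verdict, info = self.detect(req)
        if verdict == "attack":
            if info is not None:
                waf.on_attack_notification(req.src_ip, info)
            return "dropped_by_server"                    # second discarding unit 603
        return "served"

def run_scenario():  # constructed traffic, in order, through one WAF and one server
    waf, server, ua = WAF(), Server(), {"User-Agent": "Mozilla/5.0"}
    xss = "%3Cscript%3Ealert(1)%3C/script%3E"
    requests = [
        Request("10.0.0.5", "/index.html?q=hello", ua),                        # legal
        Request("10.0.0.6", "/search?q=1%20UNION%20SELECT%20password", ua),    # code + rule: attack
        Request("10.0.0.7", "/files/get?file=../../etc/passwd", ua),           # code, no rule: pending
        Request("10.0.0.8", "/feedback?msg=" + xss, ua),                       # pending, then reflected
        Request("10.0.0.9", "/contact?name=" + xss, ua),                       # learned second-class code
        Request("10.0.0.8", "/index.html", ua),                                # blacklisted source
        Request("10.0.0.10", "/index.html", {"Cookie": "session=%FF%FE", **ua}),  # undecodable key field
    ]
    return [(r.src_ip, *waf.handle(r, server)) for r in requests]
```

run_scenario() pushes seven constructed requests through one WAF and one server in order. The third and fourth requests carry a feature code outside the rule's scope, so the WAF re-tags them to port 8081; the server's virtual response then exposes the third through the sensitive-information check (claim 4) and the fourth through the reflected-information check (claim 5). After the resulting notification, the WAF itself drops a further request from that source (blacklist) and the same payload from a different source (learned second-class feature code), which is the feedback loop of claims 2 and 5. The last request shows the other route into re-detection, a key field that does not percent-decode, which the server then clears as legal.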
CN201610919494.2A 2016-10-21 2016-10-21 Attack detection method and device Active CN106470214B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610919494.2A CN106470214B (en) 2016-10-21 2016-10-21 Attack detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610919494.2A CN106470214B (en) 2016-10-21 2016-10-21 Attack detection method and device

Publications (2)

Publication Number Publication Date
CN106470214A CN106470214A (en) 2017-03-01
CN106470214B true CN106470214B (en) 2020-03-06

Family

ID=58230886

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610919494.2A Active CN106470214B (en) 2016-10-21 2016-10-21 Attack detection method and device

Country Status (1)

Country Link
CN (1) CN106470214B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107277025A (en) * 2017-06-28 2017-10-20 维沃移动通信有限公司 A kind of Secure Network Assecc method, mobile terminal and computer-readable recording medium
CN107360162B (en) * 2017-07-12 2020-01-21 北京奇艺世纪科技有限公司 Network application protection method and device
CN107634964B (en) * 2017-10-13 2020-05-12 杭州迪普科技股份有限公司 WAF (Wireless Access Filter) testing method and device
CN107979610A (en) * 2017-12-14 2018-05-01 广东天网安全信息科技有限公司 The safety protecting method that a kind of fire wall communicates in big data
CN109040128B (en) * 2018-09-18 2020-09-22 四川长虹电器股份有限公司 WAF reverse proxy detection method based on offline pcap flow packet
CN110381053A (en) * 2019-07-16 2019-10-25 新华三信息安全技术有限公司 A kind of message filtering method and device
CN110912936B (en) * 2019-12-20 2022-02-18 东软集团股份有限公司 Media file security situation perception method and firewall
CN112153001B (en) * 2020-08-21 2023-06-23 杭州安恒信息技术股份有限公司 WAF-based network communication method, WAF-based network communication system, electronic device and storage medium
CN113190838A (en) * 2021-03-29 2021-07-30 贵州电网有限责任公司 Web attack behavior detection method and system based on expression
CN113630417B (en) * 2021-08-12 2023-09-26 杭州安恒信息安全技术有限公司 WAF-based data transmission method, WAF-based data transmission device, WAF-based electronic device and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1581803A (en) * 2004-05-20 2005-02-16 中国科学院软件研究所 Safety platform for network data exchange
CN101257388A (en) * 2008-04-08 2008-09-03 华为技术有限公司 Lawless exterior joint detecting method, apparatus and system
CN101626345A (en) * 2009-07-23 2010-01-13 中兴通讯股份有限公司 Message processing method and real-time stream protocol application layer gateway in home gateway
CN103475746A (en) * 2013-08-09 2013-12-25 杭州华三通信技术有限公司 Terminal service method and apparatus
CN103532964A (en) * 2013-10-22 2014-01-22 邱文乔 Method for verifying TCP (transmission control protocol) connection security
CN104219200A (en) * 2013-05-30 2014-12-17 杭州迪普科技有限公司 Device and method for protection from DNS cache attack
CN104468267A (en) * 2014-11-24 2015-03-25 国家电网公司 Information safety penetration testing method for distribution automation system
CN104853003A (en) * 2015-04-30 2015-08-19 中国人民解放军国防科学技术大学 Netfilter-based address and port hopping communication implementation method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100440811C (en) * 2006-12-25 2008-12-03 杭州华三通信技术有限公司 Detection method and device for network attack
CN102404318B (en) * 2011-10-31 2015-09-09 杭州迪普科技有限公司 A kind of method and device taking precautions against DNS cache attack
CN103856470B (en) * 2012-12-06 2018-06-19 腾讯科技(深圳)有限公司 Detecting method of distributed denial of service attacking and detection device
CN104580074B (en) * 2013-10-14 2018-08-24 阿里巴巴集团控股有限公司 The login method of client application and its corresponding server

Also Published As

Publication number Publication date
CN106470214A (en) 2017-03-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant